Beware of malicious HWP files disguised as 'chirashi'!
2020-11-25 • ESTSecurity
ESRC reported a malicious HWP document disguised as a private rumor sheet using political, diplomatic and social gossip to entice Korean users. The activity was assessed as likely Thallium based on the document’s tactics and characteristics, including abuse of Hangul Office OLE rather than a traditional HWP exploit. User interaction executed an embedded HTA file that communicated with a C2 server and could collect PC information and receive further commands, while attempting to avoid analysis by checking for virtual-machine or sandbox environments. ESRC linked the technique to recent Thallium HWP campaigns using political and North Korea-themed lures and warned that updated software alone may not block OLE-based social engineering.